access-list assistance

bberry
Level 1

Hello all,

I need some assistance on tweaking an access-list template that we have been using for a while. I created this template to limit the exposure some of our older devices have access to, to offset the fact that we cannot improve the security they are using, or to limit the device's access to a specific server so machine operators cannot use them for other things. This template works in conjunction with a DHCP pool and has been working fine for what we have created. The template basically has access to the default gateway, DNS and then the few servers the devices need to access. Sounds simple enough and is something like this...

access-list 119 permit ip any host 192.168.28.129      ! default gateway
access-list 119 permit ip any host 192.168.33.13       ! DNS #1
access-list 119 permit ip any host 172.16.4.247        ! DNS #2
access-list 119 permit ip any host 192.168.37.252      ! single file server
access-list 119 permit ip any 172.16.4.0 0.0.0.255     ! production network
access-list 119 deny ip any any log

I created a new subnet for new devices our floor engineers are going to use to maintain and repair networked presses. I created the associated DHCP pool and access list. When we try to bring these devices online they cannot get an IP address. If I lift the access list they have no problem getting an address and working normally. The only real difference I have discovered so far is that these laptops run Ubuntu and all our other devices are Windows based. If I create an access list with permit ip any any log to see what is going on, I do see

 %SEC-6-IPACCESSLOGP: list 119 permitted udp 0.0.0.0(0) -> 255.255.255.255(0), 1 packet

It seems if I include any type of permit for the address space this always becomes a denied and the device cannot get an IP address.

I am trying to figure out if this is just something with Ubuntu or figure out how to tweak the access list to keep everything restricted but still allow the 0.0.0.0 to be permitted. I have tried different combinations for the default gateway from the single address above to the subnet with both a standard mask as well as the inverse mask. Nothing seems to be working. 

Is my thought process wrong or am I just doing something incorrect in the access-list?

Thanks

Accepted Solution

Julio E. Moisa
VIP Alumni

Hi,

Please correct me if I am understanding the question wrong: the PCs are not obtaining an IP from the DHCP server, is that correct?

Try to include these lines:

access-list 119 permit udp any host 255.255.255.255 eq bootps
access-list 119 permit udp any eq bootpc host 255.255.255.255 eq bootps
access-list 119 permit udp any host 255.255.255.255 eq bootpc

In order to modify the sequence of, or remove, any entry in a numbered ACL you can use:

ip access-list extended 119
 ! in this mode entries carry a sequence number and no "access-list 119" prefix;
 ! numbers below 10 place them ahead of the existing lines (an entry added
 ! without a number is appended after the final deny and never matches)
 5 permit udp any host 255.255.255.255 eq bootps
 6 permit udp any host 255.255.255.255 eq bootpc
 7 permit udp any eq bootpc host 255.255.255.255 eq bootps

or try with just allowing access to the specific ports related to DHCP:

ip access-list extended 119
 ! sequence numbers keep these entries ahead of the existing deny
 1 permit udp any any eq 68
 2 permit udp any any eq 67
 3 permit udp any any eq 139
 4 permit udp any any eq 138
 5 permit udp any any eq 137

Since initially the computers don't have an IP, they will use a broadcast IP to find a DHCP server.

* Remember, if you delete a numbered ACL you will delete all of them; that is the reason I recommend ip access-list extended 119, to avoid any impact. Also, show access-list is useful.

Hope it is useful

:-)




>> Mark as helpful or answered if the reply resolved the question; this helps other community members with future queries. <<

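To show why the original template blocks the lease while the answer's entries allow it, here is an added example (not from the original post or from Cisco): a small Python evaluator for the Cisco extended-ACL syntax used above that walks the DHCPDISCOVER from the question's log line (udp 0.0.0.0:68 -> 255.255.255.255:67) through the ACL, first match wins, implicit deny at the end. It also shows what happens if the DHCP entries end up after the deny, which is what a named-ACL entry added without a sequence number does. The ACL text and packet tuple are constructed from the values on this page.

```python
import ipaddress

# Constructed sample input: the template from the question, and the three DHCP
# entries from the answer (corrected syntax), as numbered-ACL text.
ORIGINAL_ACL = """\
access-list 119 permit ip any host 192.168.28.129
access-list 119 permit ip any host 192.168.33.13
access-list 119 permit ip any host 172.16.4.247
access-list 119 permit ip any host 192.168.37.252
access-list 119 permit ip any 172.16.4.0 0.0.0.255
access-list 119 deny ip any any log
"""
DHCP_ENTRIES = """\
access-list 119 permit udp any host 255.255.255.255 eq bootps
access-list 119 permit udp any eq bootpc host 255.255.255.255 eq bootps
access-list 119 permit udp any host 255.255.255.255 eq bootpc
"""
PORT_NAMES = {"bootps": 67, "bootpc": 68}
# DHCPDISCOVER from a client with no lease, as seen in the question's log line.
DISCOVER = ("udp", "0.0.0.0", 68, "255.255.255.255", 67)

def _addr(tok):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (network, remaining tokens)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    # ipaddress accepts a Cisco wildcard (host) mask directly, e.g. 172.16.4.0/0.0.0.255
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), tok[2:]

def _port(tok):
    """Consume an optional 'eq PORT' (name or number); None means any port."""
    if tok and tok[0] == "eq":
        return PORT_NAMES.get(tok[1]) or int(tok[1]), tok[2:]
    return None, tok

def parse_ace(line):
    tok = line.split()
    if tok[0] == "access-list":          # numbered form: drop 'access-list <n>'
        tok = tok[2:]
    action, proto, tok = tok[0], tok[1], tok[2:]
    src, tok = _addr(tok); sport, tok = _port(tok)
    dst, tok = _addr(tok); dport, tok = _port(tok)   # a trailing 'log' is ignored
    return action, proto, src, sport, dst, dport

def evaluate(acl_text, pkt):
    """Return (action, 1-based entry number) of the first match; no match = implicit deny."""
    proto, src, sport, dst, dport = pkt
    lines = [l for l in acl_text.splitlines() if l.strip()]
    for n, line in enumerate(lines, 1):
        action, p, s, sp, d, dp = parse_ace(line)
        if (p in ("ip", proto) and ipaddress.ip_address(src) in s
                and ipaddress.ip_address(dst) in d
                and sp in (None, sport) and dp in (None, dport)):
            return action, n
    return "deny", None
```

With the three DHCP entries placed before the deny the DISCOVER is permitted on the first line; with them appended after it the packet still hits the deny, exactly as the question's `%SEC-6-IPACCESSLOGP` line shows.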